From c38b277887dc36531e7a3933d9a01e305f1daf83 Mon Sep 17 00:00:00 2001 From: MaysWind Date: Sun, 3 Sep 2023 23:15:51 +0800 Subject: [PATCH] disabled user cannot use forget password --- pkg/api/forget_passwords.go | 17 ++++++++++++++++- pkg/errs/user.go | 2 +- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/pkg/api/forget_passwords.go b/pkg/api/forget_passwords.go index 2117b61f..39ad23ce 100644 --- a/pkg/api/forget_passwords.go +++ b/pkg/api/forget_passwords.go @@ -46,9 +46,14 @@ func (a *ForgetPasswordsApi) UserForgetPasswordRequestHandler(c *core.Context) ( return nil, errs.ErrUserNotFound } + if user.Disabled { + log.WarnfWithRequestId(c, "[forget_passwords.UserForgetPasswordRequestHandler] user \"uid:%d\" is disabled", user.Uid) + return nil, errs.ErrUserIsDisabled + } + if !user.EmailVerified { log.WarnfWithRequestId(c, "[forget_passwords.UserForgetPasswordRequestHandler] user \"uid:%d\" has not verified email", user.Uid) - return nil, errs.ErrEmptyIsNotVerified + return nil, errs.ErrEmailIsNotVerified } token, _, err := a.tokens.CreatePasswordResetToken(c, user) @@ -89,6 +94,16 @@ func (a *ForgetPasswordsApi) UserResetPasswordHandler(c *core.Context) (interfac return nil, errs.ErrUserNotFound } + if user.Disabled { + log.WarnfWithRequestId(c, "[forget_passwords.UserResetPasswordHandler] user \"uid:%d\" is disabled", user.Uid) + return nil, errs.ErrUserIsDisabled + } + + if !user.EmailVerified { + log.WarnfWithRequestId(c, "[forget_passwords.UserResetPasswordHandler] user \"uid:%d\" has not verified email", user.Uid) + return nil, errs.ErrEmailIsNotVerified + } + if user.Email != request.Email { log.WarnfWithRequestId(c, "[forget_passwords.UserResetPasswordHandler] request email not equals the user email") return nil, errs.ErrEmptyIsInvalid diff --git a/pkg/errs/user.go b/pkg/errs/user.go index dc40fa8d..67ea747d 100644 --- a/pkg/errs/user.go +++ b/pkg/errs/user.go 
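Review bot: The new `if user.Disabled { … return nil, errs.ErrUserIsDisabled }` gate in UserForgetPasswordRequestHandler adds a third distinguishable outcome to what is, presumably, an unauthenticated endpoint: a caller who submits an email can now tell apart "no such user" (`ErrUserNotFound`, context line), "disabled" and "email never verified" (`ErrEmailIsNotVerified` is a 400 with subcode 20 per the errs hunk). The existence leak predates this commit, but the disabled state is new information that only the server needs; the `log.WarnfWithRequestId` line already records the real reason with the uid, so the client does not need it. If the endpoint is reachable without a session, consider collapsing these three branches to one generic response, e.g. `return nil, errs.ErrUserNotFound` for both the disabled and unverified cases (or a neutral "if the account exists, mail was sent" result), keeping the distinct log messages. `ErrUserIsDisabled` is not defined in this diff, so I cannot tell whether its status/subcode is distinguishable on the wire — worth confirming. The enclosing handler starts and ends outside the hunk.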
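Review bot: The `user.Disabled` / `!user.EmailVerified` pair added to UserResetPasswordHandler is a verbatim copy of the block added to UserForgetPasswordRequestHandler in the hunk above, and the reset handler had already drifted (it lacked the email-verified check the request handler had before this commit), which is exactly what a shared gate prevents. I would move the two checks and their warn logs into one unexported helper on ForgetPasswordsApi that takes `c` and the looked-up user and returns `*errs.Error`, and call it from both handlers right after the `ErrUserNotFound` return: `if err := a.checkUserMayResetPassword(c, user); err != nil { return nil, err }`. While here, the last context line still returns `errs.ErrEmptyIsInvalid`, which carries the same Empty/Email typo this commit fixes for `ErrEmailIsNotVerified`; a follow-up rename would keep the errs block consistent. Both handler bodies continue outside the hunk, so the token/email handling that follows is not reviewed here.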
@@ -26,5 +26,5 @@ var ( ErrEmptyIsInvalid = NewNormalError(NormalSubcategoryUser, 17, http.StatusBadRequest, "email is invalid") ErrEmailIsEmptyOrInvalid = NewNormalError(NormalSubcategoryUser, 18, http.StatusBadRequest, "email is empty or invalid") ErrNewPasswordEqualsOldInvalid = NewNormalError(NormalSubcategoryUser, 19, http.StatusBadRequest, "new password equals old password") - ErrEmptyIsNotVerified = NewNormalError(NormalSubcategoryUser, 20, http.StatusBadRequest, "email is not verified") + ErrEmailIsNotVerified = NewNormalError(NormalSubcategoryUser, 20, http.StatusBadRequest, "email is not verified") )